CVE-2017-11501 - Vulnerability Details - OpenCVE

NixOS 17.03 and earlier has an unintended default absence of SSL Certificate Validation for LDAP. The users.ldap NixOS module implements user authentication against LDAP servers via a PAM module. It was found that if TLS is enabled to connect to the LDAP server with users.ldap.useTLS, peer verification will be unconditionally disabled in /etc/ldap.conf.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00149.

Key SSVC decision points have not yet been added.

Vendors	Products
Nixos Project	Nixos

Configuration 1 [-]

cpe:2.3:o:nixos_project:nixos:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2017-3119	NixOS 17.03 and earlier has an unintended default absence of SSL Certificate Validation for LDAP. The users.ldap NixOS module implements user authentication against LDAP servers via a PAM module. It was found that if TLS is enabled to connect to the LDAP server with users.ldap.useTLS, peer verification will be unconditionally disabled in /etc/ldap.conf.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://openwall.com/lists/oss-security/2017/07/20/1
https://github.com/NixOS/nixpkgs/issues/27506
https://groups.google.com/forum/#%21topic/nix-security-announce/qrDU0KH_ZRk

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-07-20T23:00:00

Updated: 2024-08-05T18:12:40.130Z

Reserved: 2017-07-20T00:00:00

Link: CVE-2017-11501

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2017-07-20T23:29:00.247

Modified: 2025-04-20T01:37:25.860

Link: CVE-2017-11501

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-07-20T00:00:00", "descriptions": [{"lang": "en", "value": "NixOS 17.03 and earlier has an unintended default absence of SSL Certificate Validation for LDAP. The users.ldap NixOS module implements user authentication against LDAP servers via a PAM module. It was found that if TLS is enabled to connect to the LDAP server with users.ldap.useTLS, peer verification will be unconditionally disabled in /etc/ldap.conf."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-07-20T23:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://openwall.com/lists/oss-security/2017/07/20/1"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://groups.google.com/forum/#%21topic/nix-security-announce/qrDU0KH_ZRk"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/NixOS/nixpkgs/issues/27506"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-11501", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "NixOS 17.03 and earlier has an unintended default absence of SSL Certificate Validation for LDAP. The users.ldap NixOS module implements user authentication against LDAP servers via a PAM module. It was found that if TLS is enabled to connect to the LDAP server with users.ldap.useTLS, peer verification will be unconditionally disabled in /etc/ldap.conf."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://openwall.com/lists/oss-security/2017/07/20/1", "refsource": "CONFIRM", "url": "http://openwall.com/lists/oss-security/2017/07/20/1"}, {"name": "https://groups.google.com/forum/#!topic/nix-security-announce/qrDU0KH_ZRk", "refsource": "CONFIRM", "url": "https://groups.google.com/forum/#!topic/nix-security-announce/qrDU0KH_ZRk"}, {"name": "https://github.com/NixOS/nixpkgs/issues/27506", "refsource": "CONFIRM", "url": "https://github.com/NixOS/nixpkgs/issues/27506"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T18:12:40.130Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://openwall.com/lists/oss-security/2017/07/20/1"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://groups.google.com/forum/#%21topic/nix-security-announce/qrDU0KH_ZRk"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/NixOS/nixpkgs/issues/27506"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-11501", "datePublished": "2017-07-20T23:00:00", "dateReserved": "2017-07-20T00:00:00", "dateUpdated": "2024-08-05T18:12:40.130Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:nixos_project:nixos:*:*:*:*:*:*:*:*", "matchCriteriaId": "17B2506F-7453-4F4D-BC34-94FD6A02DB24", "versionEndIncluding": "17.03", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NixOS 17.03 and earlier has an unintended default absence of SSL Certificate Validation for LDAP. The users.ldap NixOS module implements user authentication against LDAP servers via a PAM module. It was found that if TLS is enabled to connect to the LDAP server with users.ldap.useTLS, peer verification will be unconditionally disabled in /etc/ldap.conf."}, {"lang": "es", "value": "NixOS versi\u00f3n 17.03 y anteriores tienen una ausencia predeterminada involuntaria de la comprobaci\u00f3n de certificado SSL para LDAP. El m\u00f3dulo users.ldap NixOS implementa la identificaci\u00f3n de usuarios contra servidores LDAP por medio de un m\u00f3dulo PAM. Se encontr\u00f3 que si TLS est\u00e1 habilitado para conectarse al servidor LDAP con users.ldap.useTLS, la verificaci\u00f3n entre iguales se deshabilitar\u00e1 incondicionalmente en /etc/ldap.conf."}], "id": "CVE-2017-11501", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-07-20T23:29:00.247", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Mitigation", "Patch", "Third Party Advisory"], "url": "http://openwall.com/lists/oss-security/2017/07/20/1"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/NixOS/nixpkgs/issues/27506"}, {"source": "cve@mitre.org", "url": "https://groups.google.com/forum/#%21topic/nix-security-announce/qrDU0KH_ZRk"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Mitigation", "Patch", "Third Party Advisory"], "url": "http://openwall.com/lists/oss-security/2017/07/20/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/NixOS/nixpkgs/issues/27506"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://groups.google.com/forum/#%21topic/nix-security-announce/qrDU0KH_ZRk"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}